npm audit - moderate vulnerabilities in deep json-schema dependency #434

Open
perry-mitchell opened this issue Nov 22, 2021 · 4 comments · May be fixed by #444

Comments

@perry-mitchell

Getting a handful of vulnerability warnings with this package when running npm audit on the latest version:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @semantic-release/npm [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @semantic-release/npm > npm > node-gyp > request >           │
│               │ http-signature > jsprim > json-schema                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @semantic-release/npm [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @semantic-release/npm > npm > @npmcli/run-script > node-gyp  │
│               │ > request > http-signature > jsprim > json-schema            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @semantic-release/npm [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @semantic-release/npm > npm > pacote > @npmcli/run-script >  │
│               │ node-gyp > request > http-signature > jsprim > json-schema   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @semantic-release/npm [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @semantic-release/npm > npm > @npmcli/arborist > pacote >    │
│               │ @npmcli/run-script > node-gyp > request > http-signature >   │
│               │ jsprim > json-schema                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @semantic-release/npm [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @semantic-release/npm > npm > @npmcli/arborist >             │
│               │ @npmcli/metavuln-calculator > pacote > @npmcli/run-script >  │
│               │ node-gyp > request > http-signature > jsprim > json-schema   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @semantic-release/npm [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @semantic-release/npm > npm > libnpmexec > @npmcli/arborist  │
│               │ > @npmcli/metavuln-calculator > pacote > @npmcli/run-script  │
│               │ > node-gyp > request > http-signature > jsprim > json-schema │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘

With no clear way to fix this.

antongolub added a commit to antongolub-forks/semantic-release-npm that referenced this issue Dec 22, 2021
@antongolub antongolub linked a pull request Dec 22, 2021 that will close this issue
@antongolub
Contributor

antongolub commented Dec 22, 2021

cc @travi , @gr2m

Suggestion: remove the npm dependency. I still believe that the plugin always invokes the global npm, so this dependency is completely useless.

Have a look:

const result = execa(

npm is called via execa. It is just a wrapper for child_process.exec by default. cp uses $PATH to find the util ref, and it knows absolutely nothing about node_modules/.bin/npm.

git clone ... && npm i
npm -v
6.14.13

node -e "console.log(require('execa').sync('npm', ['-v']).stdout)"
6.14.13

node -e "console.log(require('./node_modules/npm/package.json').version)"
7.24.2

If we want execa to call the plugin's own npm version, we should pass the preferLocal option.

node -e "console.log(require('execa').sync('npm', ['-v'], {preferLocal: true}).stdout)"
7.24.2

@gr2m
Member

gr2m commented Dec 23, 2021

We had this discussion before, I think more than once. I don't have the time to dig it out.

It would be good if we could document the reasoning so that the same discussion doesn't pop up again

@antongolub
Contributor

antongolub commented Dec 23, 2021

@gr2m, @travi,

From execa@2.0.0, preferLocal is set to false by default. The plugin uses ^5.0.0 now.

I have some time to dig )
#177, 2 Jul 2019, execa 1.0.0 → 2.0.2

https://github.com/sindresorhus/execa/releases/tag/v2.0.0
sindresorhus/execa#314
sindresorhus/execa@eb22ff7

@kf6kjg

kf6kjg commented Feb 7, 2023

They've gone from moderate to high. The following is after a fresh checkout of master.

$ npm ci
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated codecov@3.8.3: https://about.codecov.io/blog/codecov-uploader-deprecation-plan/
npm WARN deprecated argv@0.0.2: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

added 1169 packages, and audited 1380 packages in 41s

215 packages are looking for funding
  run `npm fund` for details

9 vulnerabilities (5 moderate, 4 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

$ npm outdated
Package          Current  Wanted  Latest  Location                      Depended by
aggregate-error    3.1.0   3.1.0   4.0.1  node_modules/aggregate-error  npm
ava                5.1.0   5.1.0   5.2.0  node_modules/ava              npm
execa              5.1.1   5.1.1   6.1.0  node_modules/execa            npm
got               11.8.6  11.8.6  12.5.3  node_modules/got              npm
normalize-url      6.1.0   6.1.0   8.0.0  node_modules/normalize-url    npm
npm               8.19.3  8.19.3   9.4.1  node_modules/npm              npm
p-retry            4.6.2   4.6.2   5.1.2  node_modules/p-retry          npm
read-pkg           5.2.0   5.2.0   7.1.0  node_modules/read-pkg         npm
tempy              1.0.1   1.0.1   3.0.0  node_modules/tempy            npm
xo                0.36.1  0.36.1  0.53.1  node_modules/xo               npm

$ npm audit
# npm audit report

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install xo@0.53.1, which is a breaking change
node_modules/xo/node_modules/glob-parent
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/xo/node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/xo/node_modules/globby
      xo  0.4.0 - 0.41.0
      Depends on vulnerable versions of globby
      Depends on vulnerable versions of update-notifier
      node_modules/xo

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install xo@0.53.1, which is a breaking change
node_modules/package-json/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

http-cache-semantics  <4.1.1
Severity: moderate
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix`
node_modules/npm/node_modules/http-cache-semantics

9 vulnerabilities (5 moderate, 4 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

4 participants